[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

2012-10-19 Thread Kalbfleisch, Gary

For the past couple days my Mailman server has been hammered with automated 
subscription requests.  I've always seen a few here and there but nothing like 
this.  Thousands of them, exploiting the web interface and replying to 
confirmation email messages.  Many of our lists were open subscription and so 
some got through.  Not a lot though.  What's most annoying is that list owners 
are being inundated with confirmation request messages, and you cannot delete 
them all at once on the "Tend to pending moderator requests" screen.  You have 
to select "Discard" for each of them individually.  I don't know if this has 
been changed yet.   I am running 2.1.9 because that is the latest version 
available from Redhat as a package.  I had to block access to the web interface 
from off site at our router to stop the deluge of messages.  I have seen this 
starting to occur at some other Mailman sites as well.  Anyone else seeing this 
or have any ideas about how best to handle this?  I have it under control for 
now but it is changing the way we use our lists.


-- Gary Kalbfleisch
-- Director of Technology Support Services
-- Shoreline Community College
-- (206) 546-5813
-- (206) 546-6943 Fax


--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

2012-10-22 Thread Kalbfleisch, Gary

Hi Stephen,

Thank you for your reply.  My responses are below


> -Original Message-
> From: Stephen J. Turnbull [mailto:step...@xemacs.org]
> Sent: Friday, October 19, 2012 9:20 PM
> To: Kalbfleisch, Gary
> Cc: mailman-users@python.org
> Subject: [Mailman-Users] Automated Subscription Bots Inundating List
> Owners With Subscription Requests
> 
> > Kalbfleisch, Gary originally writes:
> 
>  > inundated with confirmation request messages, and you cannot delete
>  > them all at once on the "Tend to pending moderator requests"
>  > screen.  You have to select "Discard" for each of them
>  > individually.  I don't know if this has been changed yet.
>
> Stephen J. Turnbull writes:
> 
> As far as I can see, these are batchable (you only need to click
> "Submit" once -- version 2.1.15, but I doubt this has changed in many
> years).
> 
> Is your issue that the moderator has to tick each box?  I really don't
> think that should change; otherwise you would lose valid subscription
> requests when being attacked in this way.
> 
> Is the issue that lists get so many requests that it overflows the
> screen, and you can only do (say) 20 at once?
> 

Kalbfleisch, Gary responds:

Messages are batchable, but administrative tasks are not.  As you noted, you 
must tick each box, and yes, I'm talking pages and pages of bogus subscription 
requests.  Quite tedious.  I think these too should be batchable, but perhaps 
separately.  What I would like to be able to do is to change all administrative 
messages to discard (or whatever) with one click, then go back and change the 
legitimate subscription requests back to accept.

>  > I had to block access to the web interface from off site at our
>  > router to stop the deluge of messages.
> 
> I think this is the best way to handle it.
> 
> There really ought to be a way for a host to request that a service be
> firewalled programmatically, although it would have to be designed
> *very* carefully.
> 

After analyzing the httpd logs I have identified three primary sources of the 
bogus subscription requests, the most predominant being associated with 
http://mailbait.info.  If you list admins out there are not familiar with 
mailbait.info you should check it out.  It is a service (I use that term 
loosely here) for filling up your inbox.  People submit hosts that send out 
email messages via web forms which are exploited for this purpose.  If you run 
it (and you can do this without filling in the email address field so you can 
see how it works) you will see that it skips from one Mailman site to another 
submitting bogus subscription requests.  As per the Mailbait FAQ, "MailBait 
does not condone using other people's email address with this service," 
however they make no effort to prevent it.

You cannot filter on IP addresses because the source address is that of the 
person that runs it, not Mailbait itself.  I created an iptables filter that 
looks for the string "mailbait.info", which appears in the Referer field of 
most of the packets.   I investigated creating a filter utilizing the iptables 
"recent" directive, which filters on the number of consecutive hits per time 
period, but the hits are spread out between each host sufficiently to make this 
ineffective.  This is true for the other two sources (not associated with 
Mailbait)  I identified as well, which I traced to ISP DHCP ranges.

>  > I have seen this starting to occur at some other Mailman sites as
>  > well.  Anyone else seeing this or have any ideas about how best to
>  > handle this?  I have it under control for now but it is changing
>  > the way we use our lists.
> 
> Sadly, I don't see how that can be avoided.  The problem is the SMTP
> and HTTP protocols themselves, which have no easily used provision for
> authentication or authorization of clients.  (How many students do you
> know who walk around with a personal X.509 certificate?)
> 
> If you have suggestions for the admin interface, that would be very
> helpful.  Even if you don't have a lot of confidence in them, this is
> a hard problem that requires wild ideas.
> 

CAPTCHA for subscription requests would go a long way in preventing this type 
of exploitation.

Thank you,

-- Gary Kalbfleisch 
-- Director of Technology Support Services 
-- Shoreline Community College 
-- (206) 546-5813 
-- (206) 546-6943 Fax 



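An added example (not code from the thread) of the httpd-log analysis described above: it parses combined-format access log lines, keeps the POSTs to Mailman's subscribe CGI, counts them by Referer host, and measures the most hits any one source IP makes inside a sliding window, which is what a per-source rate limit such as the iptables "recent" module would act on. The log lines are constructed with documentation address ranges, and the regex assumes Apache's combined log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample httpd access log (Apache "combined" format). Addresses
# come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2012:14:02:11 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 1243 "http://mailbait.info/" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2012:14:02:40 -0700] "POST /mailman/subscribe/alumni HTTP/1.1" 200 1251 "http://mailbait.info/" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2012:14:03:05 -0700] "GET /mailman/listinfo/staff HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.33 - - [19/Oct/2012:14:03:30 -0700] "POST /mailman/subscribe/faculty HTTP/1.1" 200 1239 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2012:14:05:15 -0700] "POST /mailman/subscribe/alumni HTTP/1.1" 200 1251 "http://mailbait.info/" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2012:14:07:01 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 1243 "http://mailbait.info/" "Mozilla/5.0"
192.0.2.33 - - [19/Oct/2012:14:09:10 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 1243 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Oct/2012:14:10:00 -0700] "POST /mailman/subscribe/staff HTTP/1.1" 200 1243 "http://www.example.org/signup" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Parse combined-format lines into dicts; unmatched lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records

def subscribe_posts(records):
    """Keep only form submissions to Mailman's subscribe CGI."""
    return [r for r in records
            if r["method"] == "POST" and r["path"].startswith("/mailman/subscribe/")]

def count_by_referer_host(records):
    """Group submissions by Referer host, the field the iptables string match keys on."""
    counts = Counter()
    for r in records:
        host = urlsplit(r["referer"]).hostname if r["referer"] != "-" else None
        counts[host or "(none)"] += 1
    return counts

def max_hits_per_ip(records, window_seconds):
    """Most submissions any single source IP made inside one sliding window of
    window_seconds: what a per-source rate limit (iptables 'recent') would see."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["time"])
    best = 0
    for times in by_ip.values():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
    return best
```

On the sample, four of the seven submissions carry a mailbait.info Referer, yet no single source exceeds one hit per minute, which is why a per-source rate limit misses traffic that a Referer match catches.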



Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

2012-10-22 Thread Kalbfleisch, Gary
I personally don't care for CAPTCHA but it exists for a reason.  If anyone can 
suggest a better solution I would love to hear it.  Right now Mailman is being 
exploited to email bomb individuals and DOS email systems.  This cannot 
continue.

Gary Kalbfleisch 

Sent from my iPod

On Oct 22, 2012, at 6:08 PM, "Brad Knowles"  wrote:

> On Oct 22, 2012, at 5:40 PM, Stephen J. Turnbull  
> wrote:
> 
>> I'm dubious about the net value of CAPTCHAs.  Personally, I generally
>> take a CAPTCHA as a "NO TRESPASSING -- THIS MEANS YOU!" sign, and
>> don't go back.
> 
> CAPTCHAs are already at the point where advanced code can apply statistical 
> methods and solve them faster and better than many humans.
> 
> Moreover, they have been problematic for a long time -- see 
> , 
> ,
>  and 
> ,
>  among others.
> 
> 
> IMO, CAPTCHAs have already jumped the shark.
> 
> --
> Brad Knowles 
> LinkedIn Profile: 


Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

2012-10-23 Thread Kalbfleisch, Gary


Note that for the majority of what I have seen in this attack it is the return 
email messages that the exploiters desire.  I have seen some subscriptions 
actually get through but I have not seen them exploited in any way other than 
to add to the flood of emails to the subscriber.  I have seen some evidence 
that these accounts may have been used in an attempt to harvest email addresses.  
I have of course deleted all of these accounts so I won't have the opportunity 
to observe how else they might be used.

As a result of this activity I have changed all lists so that confirmation is 
required for all subscriptions, and only list owners can view the list of 
subscribers.  The confirmations don't actually solve the email bombing problem 
but they will keep bogus subscriptions to a minimum.  I have implemented some 
iptables filters as noted previously but I have not yet opened up the web 
interface externally.  I have been monitoring traffic directed to port 80 on my 
Mailman server and it has gone down significantly since I put up the block.  I 
may open it up again next week to see how my iptables filters work.


-- Gary Kalbfleisch 
-- Director of Technology Support Services 
-- Shoreline Community College 
-- (206) 546-5813 
-- (206) 546-6943 Fax 

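An added example (not code from the thread or from the Mailman project) of the list lockdown described above, written in the shape of a Mailman 2.1 withlist script: it audits a list's subscribe_policy and private_roster and raises them so every subscription needs address confirmation and only the list admin can view the roster. The attribute names, numeric values and the withlist invocation are assumed from Mailman 2.1's list configuration; the test drives it with a stand-in list object.

```python
# Assumed usage on the Mailman host (withlist locks the list with -l and calls
# the function named by -r with the list object plus any extra arguments):
#   bin/withlist -l -r harden <listname>        # apply
#   bin/withlist -l -r harden <listname> dry    # report only
# Assumed Mailman 2.1 attribute values:
#   subscribe_policy: 0 open, 1 confirm, 2 approval, 3 confirm + approval
#   private_roster:   0 anyone, 1 members only, 2 list admin only

CONFIRM, APPROVE, CONFIRM_AND_APPROVE = 1, 2, 3
ROSTER_ADMIN_ONLY = 2

def audit(mlist):
    """Return {attribute: (current, required)} for every setting that is weaker
    than confirm-on-subscribe and admin-only roster."""
    changes = {}
    policy = mlist.subscribe_policy
    if policy == 0:                       # open list: no address confirmation
        changes["subscribe_policy"] = (policy, CONFIRM)
    elif policy == APPROVE:               # owner approval alone still skips it
        changes["subscribe_policy"] = (policy, CONFIRM_AND_APPROVE)
    if mlist.private_roster != ROSTER_ADMIN_ONLY:
        changes["private_roster"] = (mlist.private_roster, ROSTER_ADMIN_ONLY)
    return changes

def harden(mlist, mode="apply"):
    """withlist entry point: print the weak settings and, unless mode is 'dry',
    apply the hardened values and save the locked list."""
    changes = audit(mlist)
    for attr, (old, new) in changes.items():
        print("%s: %s -> %s" % (attr, old, new))
    if changes and mode != "dry":
        for attr, (_old, new) in changes.items():
            setattr(mlist, attr, new)
        mlist.Save()
    return changes
```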

> -Original Message-
> From: Mailman-Users [mailto:mailman-users-
> bounces+garyk=shoreline@python.org] On Behalf Of jdd
> Sent: Tuesday, October 23, 2012 8:42 AM
> To: mailman-users@python.org
> Subject: Re: [Mailman-Users] Automated Subscription Bots Inundating List
> Owners With Subscription Requests
> 
> On 23/10/2012 17:17, Carl Zwanzig wrote:
> 
> 
> > I've used a similar method for help email to places like yahoo. At the
> > bottom of the text I ask "Please tell me your favorite color so I know
> > I'm working with a real person." Seems to work.
> 
> Yes, I also have a "public" password on a wiki. By the way, the password is not
> on the wiki page but in the mail I send to the user.
> 
> That said, there are some real humans paid to catch web sites, and against that
> no luck :-(
> 
> jdd
> 
> 
> --
> http://www.dodin.org
> http://jddtube.dodin.org/20120616-52-highway_v1115


Re: [Mailman-Users] Too many recipients

2012-10-23 Thread Kalbfleisch, Gary

Am I understanding correctly that the list itself is a member of the list?  
Sounds like an email loop to me.   What are you trying to do?


-- Gary Kalbfleisch 
-- Director of Technology Support Services 
-- Shoreline Community College 
-- (206) 546-5813 
-- (206) 546-6943 Fax 






> -Original Message-
> From: Mailman-Users [mailto:mailman-users-
> bounces+garyk=shoreline@python.org] On Behalf Of Rodrigo Abrantes
> Antunes
> Sent: Tuesday, October 23, 2012 9:19 AM
> To: mailman-users@python.org
> Subject: Re: [Mailman-Users] Too many recipients
> 
> Quoting Rodrigo Abrantes Antunes :
> >
> > Hi, when I try to send an e-mail to my list (only one recipient, the
> > list itself), I get these:
> >
> >In mailman's smtp logs:
> >Oct 22 13:26:17 2012 (22940)  smtp to contas for 828
> > recips, completed in 1.705 seconds
> >
> >In mailman's post logs:
> >Oct 22 13:26:17 2012 (22940) post to contas from xxx@,
> > size=3620, message-id=, 450 failures
> >
> >In mailman's smtp-failure logs:
> >Oct 22 13:26:17 2012 (22940) delivery to xxx@x failed with code
> > 452: 4.5.3 Error: too many recipients
> >
> >In my mm_cfg.py I have this:
> >DEFAULT_MAX_NUM_RECIPIENTS = 0
> >
> >Any ideas?
> >
> Searching Google I found that this error isn't related to the number of users 
> in the list; it occurs because the total number of addresses in the
> To: and Cc: headers of the post equals or exceeds max_num_recipients. But
> the documentation says that if this option is set to 0 there is no limit.
> And my post has only one recipient in To:, the list itself. So what may be
> causing this?


Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

2012-10-29 Thread Kalbfleisch, Gary

I like to stick with packages when possible because it makes maintenance much 
easier.  This is really a non-issue since the current version of Mailman does 
not have a fix for this problem.  

Thank you,



-- Gary Kalbfleisch 
-- Director of Technology Support Services 
-- Shoreline Community College 
-- (206) 546-5813 
-- (206) 546-6943 Fax 






> -Original Message-
> From: Mailman-Users [mailto:mailman-users-
> bounces+garyk=shoreline@python.org] On Behalf Of Lindsay Haisley
> Sent: Monday, October 29, 2012 11:25 AM
> To: mailman-users@python.org
> Subject: Re: [Mailman-Users] Automated Subscription Bots Inundating List
> Owners With Subscription Requests
> 
> On Thu, 2012-10-18 at 23:53 +, Kalbfleisch, Gary wrote:
> > I am running 2.1.9 because that is the latest version available from
> > Redhat as a package.
> 
> It's relatively simple to install Mailman from the source package, but one
> thing that would help a great deal with this would be default inclusion in the
> built package of a standard text or script that would contain, or issue, the
> arguments provided to configure during the build process.  There are several
> critical parameters including the prefix, the var-prefix and of course the 
> mail-gid which ought to be readily available for this purpose.
> 
> If you've already built Mailman from source, this information is of course
> available in the config.log, but for people installing Mailman from an
> outdated package from a distribution, and wanting to catch up with the latest
> improvements or security fixes, having this information available as part of
> the distributed end product would be a big help.
> This is already done for many large and complex packages, and would be a big
> help in making the transition from a pre-built Mailman package to a source-
> based update.
> 
> Maybe this information is already available.  I only spent about 5 minutes
> looking for it outside of the source tree and couldn't find it.
> 
> --
> Lindsay Haisley   | "Behold! Our way lies through a
> FMP Computer Services |dark wood whence in which
> 512-259-1190  |  weirdness may wallow!"
> http://www.fmp.com|   --Beauregard
> 

Re: [Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

2012-10-29 Thread Kalbfleisch, Gary

Don't assume that I don't have the skills.  I have been building the Linux OS 
from source since long before most people even heard of the Internet.  I manage 
my time very carefully, and Mailman is a very small part of what I do.  The 
newest version of Mailman does not resolve any of the issues that I have been 
experiencing, if you have read my posts.  I have implemented the security 
measures required using other means until such time as they are resolved in 
Mailman.

Regards

Gary Kalbfleisch 

Sent from my iPod

On Oct 29, 2012, at 8:37 PM, "Lindsay Haisley"  wrote:

> On Mon, 2012-10-29 at 21:04 +, Kalbfleisch, Gary wrote:
>> I like to stick with packages when possible because it makes
>> maintenance much easier.
> 
> As do I.  There are times, however, when mission-critical packages in a
> distribution are outdated, or absent, or broken and building from source
> is the only option.  IMHO, having the knowledge and the tools on one's
> system to do builds from the upstream source is an important system
> administration skill.  I always seem to have one or two packages on any
> box that end up being built from source.  Mailman is one of them,
> because I have a number of patches for it that I've developed, and
> because building and installing it from source is very easy.
> 
> Juggling packages vs. upstream source is something you get used to.  All
> package management systems that I know of have ways of freezing packages
> at a certain level or version so that your custom builds don't get
> crosswise of package management.
> 
> -- 
> Lindsay Haisley   | "Real programmers use butterflies"
> FMP Computer Services |
> 512-259-1190  |   - xkcd
> http://www.fmp.com|
> 


[Mailman-Users] I did not submit a request to unsubscribe from mailman-users

2012-10-30 Thread Kalbfleisch, Gary

I received three unsubscribe confirmations over night.  I did not initiate 
these.  The source IPs resolve to India and Sri Lanka.  Is it just me or is 
this happening to other subscribers?


-- Gary Kalbfleisch
-- Director of Technology Support Services
-- Shoreline Community College
-- (206) 546-5813
-- (206) 546-6943 Fax




Re: [Mailman-Users] I did not submit a request to unsubscribe from mailman-users

2012-10-30 Thread Kalbfleisch, Gary

Sounds familiar.  Please see the thread "Automated Subscription Bots Inundating 
List Owners With Subscription Requests" if you haven't already.


-- Gary Kalbfleisch 
-- Director of Technology Support Services 
-- Shoreline Community College 
-- (206) 546-5813 
-- (206) 546-6943 Fax 





-Original Message-
From: Mailman-Users 
[mailto:mailman-users-bounces+garyk=shoreline@python.org] On Behalf Of Ralf 
Hildebrandt
Sent: Tuesday, October 30, 2012 6:52 AM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] I did not submit a request to unsubscribe from 
mailman-users

* Kalbfleisch, Gary :
 
> I received three unsubscribe confirmations over night.  I did not 
> initiate these.  The source IPs resolve to India and Sri Lanka.  Is it 
> just me or is this happening to other subscribers?

Not to me, but we're also seeing subscription requests that are reported as 
spam by the victims at yahoo.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155